Newsgroups: php.internals
Date: Fri, 19 Sep 2014 11:30:48 -0400
From: rdlowrey@gmail.com (Daniel Lowrey)
To: internals@lists.php.net
Subject: OpenSSL bug in 5.4.33 and 5.5.17

Hi folks!

I know this isn't the kind of fun stuff people want to deal with on Friday but ...

In an effort to fix a very old (seven years old) DoS vulnerability involving encrypted streams I created a regression where feof() notifications on encrypted sockets are broken. This is present in both the most recent 5.4.33 and 5.5.17 releases. To be clear, this wasn't just a spurious change that resulted in a bug. The functionality was already problematic; it worked most of the time for most use cases but was a clear DoS problem.

In any case, I've updated the relevant bug with a patch that *I believe* should solve the issue once and for all:

- https://bugs.php.net/bug.php?id=41631
- https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621

This is a somewhat difficult thing to test for in isolation as the right conditions can depend on network topography and edge-case scenarios, so I would appreciate it if someone involved with the Horde project could build PHP against the new patch and verify that things work as expected before I merge this upstream.

I believe (but haven't verified) that the same problem exists in the current 5.6 branch as well, so this needs resolution prior to 5.6.1 (not present in 5.6.0).

Apologies that this made its way into releases :/